From dad27daa229c1791c530cd6e5343956a7ea9e61b Mon Sep 17 00:00:00 2001 From: Jakub Jelinek Date: Thu, 19 May 2016 14:02:19 +0200 Subject: [PATCH] backport: cp-demangle.c (d_dump): Fix syntax error. Backported from mainline 2015-07-13 Mikhail Maltsev * cp-demangle.c (d_dump): Fix syntax error. (d_identifier): Adjust type of len to match d_source_name. (d_expression_1): Fix out-of-bounds access. Check code variable for NULL before dereferencing it. (d_find_pack): Do not recurse for FIXED_TYPE, DEFAULT_ARG and NUMBER. (d_print_comp_inner): Add NULL pointer check. * testsuite/demangle-expected: Add new testcases. From-SVN: r236454 --- libiberty/ChangeLog | 10 +++++++++ libiberty/cp-demangle.c | 24 ++++++++++++++++----- libiberty/testsuite/demangle-expected | 30 +++++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 5 deletions(-) diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog index 87dd211cf7a0..f112f762a1eb 100644 --- a/libiberty/ChangeLog +++ b/libiberty/ChangeLog @@ -1,6 +1,16 @@ 2016-05-19 Jakub Jelinek Backported from mainline + 2015-07-13 Mikhail Maltsev + + * cp-demangle.c (d_dump): Fix syntax error. + (d_identifier): Adjust type of len to match d_source_name. + (d_expression_1): Fix out-of-bounds access. Check code variable for + NULL before dereferencing it. + (d_find_pack): Do not recurse for FIXED_TYPE, DEFAULT_ARG and NUMBER. + (d_print_comp_inner): Add NULL pointer check. + * testsuite/demangle-expected: Add new testcases. + 2014-08-29 Andrew Burgess * cp-demangle.c (d_dump): Only access field from s_fixed part of diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c index 4ecdb1ee439e..fc58050e4bc2 100644 --- a/libiberty/cp-demangle.c +++ b/libiberty/cp-demangle.c @@ -419,7 +419,7 @@ static struct demangle_component *d_source_name (struct d_info *); static long d_number (struct d_info *); -static struct demangle_component *d_identifier (struct d_info *, int); +static struct demangle_component *d_identifier (struct d_info *, long); static struct demangle_component *d_operator_name (struct d_info *); @@ -715,7 +715,7 @@ d_dump (struct demangle_component *dc, int indent) case DEMANGLE_COMPONENT_FIXED_TYPE: printf ("fixed-point type, accum? %d, sat? %d\n", dc->u.s_fixed.accum, dc->u.s_fixed.sat); - d_dump (dc->u.s_fixed.length, indent + 2) + d_dump (dc->u.s_fixed.length, indent + 2); break; case DEMANGLE_COMPONENT_ARGLIST: printf ("argument list\n"); @@ -1656,7 +1656,7 @@ d_number_component (struct d_info *di) /* identifier ::= <(unqualified source code identifier)> */ static struct demangle_component * -d_identifier (struct d_info *di, int len) +d_identifier (struct d_info *di, long len) { const char *name; @@ -1677,7 +1677,7 @@ d_identifier (struct d_info *di, int len) /* Look for something which looks like a gcc encoding of an anonymous namespace, and replace it with a more user friendly name. */ - if (len >= (int) ANONYMOUS_NAMESPACE_PREFIX_LEN + 2 + if (len >= (long) ANONYMOUS_NAMESPACE_PREFIX_LEN + 2 && memcmp (name, ANONYMOUS_NAMESPACE_PREFIX, ANONYMOUS_NAMESPACE_PREFIX_LEN) == 0) { @@ -3163,6 +3163,8 @@ d_expression_1 (struct d_info *di) struct demangle_component *type = NULL; if (peek == 't') type = cplus_demangle_type (di); + if (!d_peek_next_char (di)) + return NULL; d_advance (di, 2); return d_make_comp (di, DEMANGLE_COMPONENT_INITIALIZER_LIST, type, d_exprlist (di, 'E')); @@ -3237,6 +3239,8 @@ d_expression_1 (struct d_info *di) struct demangle_component *left; struct demangle_component *right; + if (code == NULL) + return NULL; if (op_is_new_cast (op)) left = cplus_demangle_type (di); else @@ -3264,7 +3268,9 @@ d_expression_1 (struct d_info *di) struct demangle_component *second; struct demangle_component *third; - if (!strcmp (code, "qu")) + if (code == NULL) + return NULL; + else if (!strcmp (code, "qu")) { /* ?: expression. */ first = d_expression_1 (di); @@ -4184,6 +4190,9 @@ d_find_pack (struct d_print_info *dpi, case DEMANGLE_COMPONENT_CHARACTER: case DEMANGLE_COMPONENT_FUNCTION_PARAM: case DEMANGLE_COMPONENT_UNNAMED_TYPE: + case DEMANGLE_COMPONENT_FIXED_TYPE: + case DEMANGLE_COMPONENT_DEFAULT_ARG: + case DEMANGLE_COMPONENT_NUMBER: return NULL; case DEMANGLE_COMPONENT_EXTENDED_OPERATOR: @@ -4419,6 +4428,11 @@ d_print_comp_inner (struct d_print_info *dpi, int options, local_name = d_right (typed_name); if (local_name->type == DEMANGLE_COMPONENT_DEFAULT_ARG) local_name = local_name->u.s_unary_num.sub; + if (local_name == NULL) + { + d_print_error (dpi); + return; + } while (local_name->type == DEMANGLE_COMPONENT_RESTRICT_THIS || local_name->type == DEMANGLE_COMPONENT_VOLATILE_THIS || local_name->type == DEMANGLE_COMPONENT_CONST_THIS diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected index f8420efac901..4f793c469670 100644 --- a/libiberty/testsuite/demangle-expected +++ b/libiberty/testsuite/demangle-expected @@ -4091,6 +4091,36 @@ void g<1>(A<1>&, B(1)>&) _ZNKSt7complexIiE4realB5cxx11Ev std::complex::real[abi:cxx11]() const # +# Some more crashes revealed by fuzz-testing: +# Check for NULL pointer when demangling trinary operators +--format=gnu-v3 +_Z1fAv32_f +_Z1fAv32_f +# Do not overflow when decoding identifier length +--format=gnu-v3 +_Z11111111111 +_Z11111111111 +# Check out-of-bounds access when decoding braced initializer list +--format=gnu-v3 +_ZDTtl +_ZDTtl +# Check for NULL pointer when demangling DEMANGLE_COMPONENT_LOCAL_NAME +--format=gnu-v3 +_ZZN1fEEd_lEv +_ZZN1fEEd_lEv +# Handle DEMANGLE_COMPONENT_FIXED_TYPE in d_find_pack +--format=gnu-v3 +_Z1fDpDFT_ +_Z1fDpDFT_ +# Likewise, DEMANGLE_COMPONENT_DEFAULT_ARG +--format=gnu-v3 +_Z1fIDpZ1fEd_E +_Z1fIDpZ1fEd_E +# Likewise, DEMANGLE_COMPONENT_NUMBER +--format=gnu-v3 +_Z1fDpDv1_c +f((char __vector(1))...) +# # Ada (GNAT) tests. # # Simple test. -- 2.47.2